In the past couple of years we have seen an emerging field of research focusing on using the intrinsic physical properties of an Industrial Control System process for anomaly detection; however, these efforts have been mostly disconnected, finding little common ground between each other to create a foundation from which other researchers can build improvements.
In this dissertation, we review previous work based on a unified taxonomy that allows us to identify limitations, unexplored challenges, and new solutions. In particular, we propose a new adversary model and a way to compare previous work with a new evaluation metric based on the trade-off between false alarms and the negative impact of undetected attacks, which defines the worst-case adversary model for detection mechanisms based on models of the physical world. We use the metric to compare design choices for detecting anomalies, and design choices for modeling the "physics" of the system. We also show the advantages and disadvantages of three experimental scenarios to test the performance of attacks and defenses: real-world network data captured from a large-scale operational facility, a fully-functional testbed that can be used operationally for water treatment, a simulation of a chemical process, and a simulation of frequency control in the power grid.
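As an added illustration (not code from the dissertation), the following Python sketch models one form of the false-alarm versus undetected-impact trade-off described above: a stateless threshold detector and a stateful CUSUM detector are run over constructed benign residuals to estimate their false-alarm rates, and the worst-case deviation a stealthy adversary who keeps the detection statistic just under the threshold can accumulate is computed for each. The noise level, thresholds, bias and step count are assumed values chosen for the example.

```python
import random


def benign_residuals(n, sigma, seed=1):
    """Constructed benign data: residuals (measured minus model-predicted) are zero-mean Gaussian."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, sigma) for _ in range(n)]


def stateless_alarms(residuals, tau):
    """Stateless detector: alarm whenever |r_k| exceeds the threshold tau."""
    return sum(1 for r in residuals if abs(r) > tau)


def cusum_alarms(residuals, tau, bias):
    """Stateful (non-parametric CUSUM) detector: S_k = max(0, S_{k-1} + |r_k| - bias); alarm when S_k > tau, then reset."""
    s, alarms = 0.0, 0
    for r in residuals:
        s = max(0.0, s + abs(r) - bias)
        if s > tau:
            alarms += 1
            s = 0.0
    return alarms


def false_alarm_rate(residuals, detector):
    """Fraction of benign samples that raise an alarm."""
    return detector(residuals) / len(residuals)


def worst_case_deviation_stateless(tau, steps):
    """Stealthy adversary who controls the sensor value keeps each residual just below tau,
    so the perceived state can be pushed by tau every step: impact grows as tau * steps."""
    return tau * steps


def worst_case_deviation_cusum(tau, bias, steps):
    """Against CUSUM the adversary can spend the budget tau once, then only `bias` per step
    without growing S_k: impact grows as tau + bias * steps."""
    return tau + bias * steps


def tradeoff(sigma, taus, bias, steps, n=20000):
    """Rows of (tau, FAR_stateless, FAR_cusum, impact_stateless, impact_cusum) for each threshold."""
    res = benign_residuals(n, sigma)
    return [(tau,
             false_alarm_rate(res, lambda r, t=tau: stateless_alarms(r, t)),
             false_alarm_rate(res, lambda r, t=tau: cusum_alarms(r, t, bias)),
             worst_case_deviation_stateless(tau, steps),
             worst_case_deviation_cusum(tau, bias, steps)) for tau in taus]


if __name__ == "__main__":
    # Assumed parameters: unit noise, bias above E|r| so the CUSUM statistic drifts down when benign.
    for row in tradeoff(sigma=1.0, taus=[1.0, 2.0, 3.0, 4.0], bias=1.0, steps=100):
        print("tau=%.1f FAR_stateless=%.4f FAR_cusum=%.4f impact_stateless=%.1f impact_cusum=%.1f" % row)
```

Lowering tau cuts the undetected impact of both detectors but raises false alarms, which is the trade-off the metric captures; the stateful detector bounds the attacker's per-step gain by the bias rather than by the threshold.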
We also discuss practical attacks applied to a room-sized water treatment testbed. We implement scenarios in which the attacker manipulates or replaces sensor data as reported from the field devices to the control components. As a result, the attacker can change the system state vector as perceived by the controls, which will cause incorrect control decisions and potentially catastrophic failures. We discuss practical challenges in setting up Man-In-The-Middle attacks on the Field Communications Network of Industrial Control Systems, and how the attacker can overcome them.
Finally, we analyze the problem of security monitor placement in industrial control networks, and show that there are locations that allow low-level attacks to be detected. Based on our analysis, we design a novel low-level security monitor that is able to directly observe the Field Communications Networks.